SaaS Flaw Lets BBC Access KPMG's Confidential Documents

On Monday the BBC reported that one of its journalists accidentally stumbled on a news story simply by attempting to log on to a shared diary his team keeps on the online office collaboration tool Huddle. Instead of gaining access to the diary, he was granted access to KPMG, one of the four largest accounting firms in the world, with full access to private financial documents.

Not a good day for Huddle, which advertises itself as "the global leader in secure content collaboration." Even less of a good day for the folks at KPMG or its clients. Also worrisome for department heads in the UK government: it's reported that 80 percent of UK government departments use the online tool.

The flaw that the Beeb reporter unearthed had evidently been around for at least eight months. After being notified of the problem by the BBC, the Huddle people hopped on the problem, found the flaw and got it fixed, saying that in the process they discovered that "six individual user sessions between March and November this year" had been affected.

They also offered an explanation that's something of a head scratcher, as well as a cautionary tale for developers.

The security issue was caused by a flaw in Huddle's software that was only triggered when two users accessed the same login server simultaneously -- within 20 milliseconds of one another, the company said. When that happened, the server issued both users' devices the same authorization code before passing them on to the next step, where a security token is issued. At that point, since both devices held the same authorization code, access could be granted to the wrong account.

"With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare," the company added.

"Extremely rare," of course, compromised a major accounting firm and possibly its clients.

The company says it's fixed the system so that the login server always generates a new authorization code.
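To make the mechanism concrete, here is an added Python illustration (not Huddle's code, and not based on any published root cause) of an authorization-code issuer that reuses the code it just minted for any caller arriving within a 20 ms window, next to a hardened issuer that always generates a fresh, unpredictable, single-use code bound to the requesting session, as the company's fix describes. The 20 ms reuse window is modelled as a hypothetical cause; the account and session names and the audit helper are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VulnerableCodeIssuer:
    """Hypothetical model of the bug: if a second login request arrives within
    window_ms of the previous one, the issuer hands back the code it just
    generated instead of a fresh one. Constructed illustration only; the real
    root cause inside Huddle's login server is not public."""
    window_ms: float = 20.0
    codes: Dict[str, str] = field(default_factory=dict)  # code -> account bound at first issue
    issuance_log: List[Tuple[float, str, str]] = field(default_factory=list)  # (ms, account, code)
    _last_code: Optional[str] = None
    _last_issued_ms: float = float("-inf")

    def issue(self, account: str, now_ms: float) -> str:
        if self._last_code is not None and now_ms - self._last_issued_ms < self.window_ms:
            code = self._last_code           # BUG: this code is already bound to another account
        else:
            code = secrets.token_urlsafe(32)
            self.codes[code] = account       # only the first caller gets bound to the code
        self._last_code, self._last_issued_ms = code, now_ms
        self.issuance_log.append((now_ms, account, code))
        return code

    def exchange(self, code: str) -> Optional[str]:
        """Code-for-token step: returns the account the code was bound to, which is
        the first caller even when the second user presents the same code."""
        return self.codes.get(code)


@dataclass
class HardenedCodeIssuer:
    """Every request gets its own unpredictable code; the code is bound to the
    requesting session, is single-use and expires, so two concurrent logins
    can never be granted the same one."""
    ttl_ms: float = 60_000.0
    codes: Dict[str, dict] = field(default_factory=dict)

    def issue(self, account: str, session_id: str, now_ms: float) -> str:
        code = secrets.token_urlsafe(32)
        while code in self.codes:            # astronomically unlikely, but never hand out a live code twice
            code = secrets.token_urlsafe(32)
        self.codes[code] = {"account": account, "session": session_id,
                            "issued_ms": now_ms, "used": False}
        return code

    def exchange(self, code: str, session_id: str, now_ms: float) -> Optional[str]:
        rec = self.codes.get(code)
        if rec is None or rec["used"]:
            return None                      # unknown code, or a replay of a spent one
        if now_ms - rec["issued_ms"] > self.ttl_ms:
            return None                      # expired
        if rec["session"] != session_id:
            return None                      # presented by a session that did not request it
        rec["used"] = True
        return rec["account"]


def find_shared_codes(log: List[Tuple[float, str, str]]) -> Dict[str, Set[str]]:
    """Audit helper (constructed): report every code issued to more than one
    distinct account, the kind of check that surfaces affected sessions after the fact."""
    seen: Dict[str, Set[str]] = {}
    for _ms, account, code in log:
        seen.setdefault(code, set()).add(account)
    return {code: accts for code, accts in seen.items() if len(accts) > 1}


if __name__ == "__main__":
    v = VulnerableCodeIssuer()
    a = v.issue("alice", 1000.0)
    b = v.issue("bob", 1012.0)                # 12 ms later: inside the reuse window
    print("vulnerable: same code for both?", a == b, "; bob's exchange yields", v.exchange(b))
    print("audit flags:", {k: sorted(s) for k, s in find_shared_codes(v.issuance_log).items()})

    h = HardenedCodeIssuer()
    ha = h.issue("alice", "sess-a", 1000.0)
    hb = h.issue("bob", "sess-b", 1012.0)
    print("hardened: distinct codes?", ha != hb,
          "; alice's code from bob's session ->", h.exchange(ha, "sess-b", 1020.0),
          "; from alice's session ->", h.exchange(ha, "sess-a", 1020.0),
          "; replayed ->", h.exchange(ha, "sess-a", 1021.0))
```

The hardened issuer closes the gap at three points rather than one: freshness of the code itself, binding the code to the session that requested it so a code that leaks or collides cannot be redeemed elsewhere, and single-use plus expiry so that a redeemed code is worthless afterwards. The audit helper is the defender's side of the story: keeping an issuance log that records which account each code went to is what lets an operator count affected sessions precisely, as Huddle did, instead of estimating.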

"We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated," Huddle told the BBC. "We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologize to them unreservedly."

The timing on this issue isn't good for Huddle, which was launched in London in 2006 and now has additional offices in San Francisco and Washington, D.C. Valued at $300 million in 2014, the company has seen increasing pressure from competitors such as Google's Drive and Microsoft's OneDrive, as well as newcomers such as Box. In August the firm was acquired by Turn/River Capital for $89 million, less than a third of what it had been worth three years earlier.